Plex Gdm

Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.

Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms, as well as network-attached storage (NAS) devices, Docker containers, and more.


Netscout says that amplified PMSSDP DDoS attacks observed since November 2020 have been abusing UDP/32414 SSDP HTTP/U responses that are sent from exposed broadband Internet access routers and redirected towards attackers' targets.

This junk traffic reflected onto victims' servers is sourced from Simple Service Discovery Protocol (SSDP) probes sent by Plex through the G’Day Mate (GDM) protocol for local network service discovery.

'The total number of attacks from Jan 1, 2020, to present day, clocked in at approximately 5,700 (compared to the more than 11 million attacks in total we saw during the same time frame),' Richard Hummel, Manager of Threat Intelligence at Netscout told BleepingComputer in an email interview.

'We’ve seen its use as far back as November when activity ramped up, but most of the time, we see its use is in multi-vector attacks rather than as a primary vector, which can result in some uncertainty in finding an exact day it began to be used,' Hummel said when asked of the first time PMSSDP was observed as a DDoS attack amplification vector.

Abused in single and multi-vector DDoS attacks

Attacks abusing this UDP reflection/amplification attack vector by targeting PMSSDP reflectors/amplifiers on the UDP/32414 port have an amplification ratio of ~4.68:1 and peak at ~3 Gbps.

However, as Netscout said, 'multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps.'

Attackers can exploit roughly 27,000 exposed devices running Plex Media Server to amplify and reflect DDoS traffic onto their targets' systems.

'It should be noted that a single-vector PMSSDP reflection/amplification attack of ~2 Gbps – ~3 Gbps in size is often sufficient to have a significant negative impact on the availability of targeted networks/servers/services,' Netscout added.

'The incidence of both single-vector and multi-/omni-vector reflection/amplification attacks leveraging PMSSDP has increased significantly since November of 2020, indicating its perceived utility to attackers.'

Added to booter services' arsenal

As regularly happens with newer DDoS attack vectors, PMSSDP has also been weaponized and is now actively used by booter/stresser DDoS-for-hire services.

These platforms are regularly used by pranksters or threat actors without the skills or time to invest in establishing their own DDoS attack infrastructure.

Booters' services are rented to launch large-scale DDoS attacks targeting servers or sites to trigger a denial of service that usually brings them down or disrupts online services.

In January, Baidu Security Lab also reported observing DDoS attacks using Plex as an amplification vector.

According to a subsequent report from ZoomEye, not all Plex Media Server versions can be abused by attackers.


'After testing by Baidu Lab researchers, it was found that the version of Plex used to attack was less than version 1.21, so it can be inferred that version 1.21 of Plex released in late January this year has fixed this problem (although no relevant information has been seen in the plex official Security bulletin),' ZoomEye said.

PMSSDP DDoS mitigation

Broadband Internet access operators with PMSSDP reflectors/amplifiers exposed on their networks by customers can experience 'partial or full interruption of end-customer broadband Internet access, as well as additional service disruption due to access, distribution, aggregation, core, peering, or transit link capacity consumption.'

While filtering all traffic on UDP/32414 can mitigate such attacks, this could also cause legitimate traffic and connections to get blocked.

To mitigate the impact of such attacks, organizations can quarantine end-customer nodes exposed to attacks and/or filter UDP/32414 traffic on abusable nodes.

'Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers,' Netscout added.

'It is strongly recommended that SSDP be disabled by default on operator-supplied broadband Internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers.'
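As an added example (not code from Netscout, Plex or the original article), the per-node approach described above can be applied to flow records: the code below flags only inside hosts that answer UDP/32414 to outside addresses and reports their observed byte ratio, leaving LAN-only discovery traffic alone. The flow tuple layout, the `INSIDE` prefixes and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PMSSDP_PORT = 32414  # UDP port the article associates with PMSSDP

# Assumption: prefixes the operator treats as "inside" (documentation/private ranges).
INSIDE = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "10.0.0.0/8")]

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 40112, "198.51.100.20", 32414, 5200),   # requests from outside
    ("udp", "198.51.100.20", 32414, "203.0.113.7", 40112, 24336),  # replies leaving the network
    ("udp", "10.0.0.5", 50000, "10.0.0.9", 32414, 520),            # LAN discovery, legitimate
    ("udp", "10.0.0.9", 32414, "10.0.0.5", 50000, 2430),
    ("udp", "198.51.100.31", 32414, "203.0.113.9", 53211, 900),    # reply seen, request not captured
    ("tcp", "203.0.113.7", 40113, "198.51.100.20", 32400, 8000),   # unrelated traffic
]

def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE)

def find_exposed_reflectors(flows):
    """Return {host: stats} for inside hosts answering UDP/32414 to outside addresses."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0})
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == PMSSDP_PORT and is_inside(dst) and not is_inside(src):
            stats[dst]["bytes_in"] += nbytes
        elif sport == PMSSDP_PORT and is_inside(src) and not is_inside(dst):
            stats[src]["bytes_out"] += nbytes
    exposed = {}
    for host, s in stats.items():
        if s["bytes_out"] == 0:
            continue  # probed from outside but never answered: not a reflector
        # Ratio is unknown when only one direction was captured (asymmetric routing).
        ratio = round(s["bytes_out"] / s["bytes_in"], 2) if s["bytes_in"] else None
        exposed[host] = {**s, "ratio": ratio}
    return exposed

if __name__ == "__main__":
    for host, s in sorted(find_exposed_reflectors(SAMPLE_FLOWS).items()):
        print(f"{host}: in={s['bytes_in']}B out={s['bytes_out']}B ratio={s['ratio']}")
```

The hosts it returns are the candidates for per-node UDP/32414 filtering or quarantine, which avoids the wholesale port filter that would also block legitimate traffic.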

DHS-CISA provides guidance on how to avoid becoming a DDoS victim, how to detect DDoS attacks, as well as on what measures to take while being DDoSed.

Earlier this month, Netscout reported that Windows Remote Desktop Protocol (RDP) servers are now also being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.

In 2019, Netscout also detected DDoS attacks abusing the macOS Apple Remote Management Service (ARMS) as an amplification vector.

ARMS-abusing DDoS attacks observed at the time peaked at 70 Gbps, with an amplification ratio of 35.5:1.

Update: Added statements from Richard Hummel, Manager of Threat Intelligence at Netscout.

Update 2: A Plex spokesperson told BleepingComputer that the company is testing a patch that provides an additional layer of protection to exposed servers.

The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it. This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user's device security or privacy. Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.


Distributed denial-of-service attackers have seized on a new vector for amplifying the junk traffic they lob at targets to take them offline: end users or networks using the Plex Media Server.

DDoS amplification is a technique that leverages the resources of an intermediary to increase the firepower of attacks. Rather than sending data directly to the server being targeted, machines participating in an attack first send the data to a third party in the form of a request for a certain service. The third party then responds with a much larger payload to the site the attackers want to take down.

So-called amplification attacks work by sending the third parties requests that are manipulated so they appear to have come from the target. When the third parties respond, the replies go to the target rather than the attacker device that sent the request. One of the most powerful amplifiers used in the past was the memcached database caching system, which can magnify payloads by a factor of 51,000. Other amplifiers include misconfigured DNS servers and the Network Time Protocol, to name only three.

On Thursday, DDoS mitigation service Netscout said that DDoS-for-hire services recently turned to misconfigured Plex Media Servers to amplify their attacks. The Plex Media Server is software that lets people access the music, pictures, and videos they store on one device with other compatible devices. The software runs on Windows, macOS, and Linux.


In some cases—such as when the server uses the Simple Service Discovery Protocol to locate universal plug-and-play gateways on end users’ broadband modems—the Plex service registration responder gets exposed to the general Internet. Responses range from 52 bytes to 281 bytes, providing an average amplification factor of about 5.


Netscout said that it has identified about 27,000 servers on the Internet that can be abused this way. To differentiate from plain-vanilla, generic Simple Service Discovery Protocol amplification DDoSes, the company is referring to the new technique as Plex Media SSDP or PMSSDP.


“The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband Internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the Internet,” Netscout researchers Roland Dobbins and Steinthor Bjarnason wrote. “This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption.”

In a statement, a Plex spokeswoman wrote:

The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it. This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user's device security or privacy. Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.

The researchers said that wholesale filtering of UDP data over port 32414 by network operators (not end users) has the potential to block some legitimate traffic. Instead, the researchers said operators (again, not end users) should identify PMSSDP nodes on their network that can be abused as DDoS reflectors or amplifiers. The researchers also recommended that ISPs disable SSDP by default in the equipment they provide to subscribers.


The forums section at Plex.tv provides these two threads that end users can peruse to best address the issue.


Post updated to add the third-to-last and last paragraphs.